Skip to content

Nginx improvements#950

Merged
bmw merged 6 commits intomasterfrom
jsha/nginx-improvements
Oct 12, 2015
Merged

Nginx improvements#950
bmw merged 6 commits intomasterfrom
jsha/nginx-improvements

Conversation

@jsha
Copy link
Contributor

@jsha jsha commented Oct 11, 2015

Add a server_names_hash_bucket_size directive during challenges to fix an nginx
crash on restart (Fixes #922).

Use fullchain instead of chain (Fixes #610).

Implement OCSP stapling (Fixes #937, Fixes #931).

This pull request replaces two earlier ones I sent.

cc @diracdeltas

@jsha
Nginx improvements
dd8c6d6 
Add a server_names_hash_bucket_size directive during challenges to fix an nginx
crash on restart (Fixes #922).

Use fullchain instead of chain (Fixes #610).

Implement OCSP stapling (Fixes #937, Fixes #931).

Hide Boulder output in integration tests to make them more readable.
kuba
kuba reviewed Oct 11, 2015
View reviewed changes
letsencrypt-apache/letsencrypt_apache/configurator.py Outdated
Copy link
Contributor

@kuba kuba Oct 11, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indentation seems to be broken here, you should add 4 more spaces. I believe this was not caught due to 6604a0f and its indent-after-paren change. Same elsewhere.

kuba
kuba reviewed Oct 11, 2015
View reviewed changes
letsencrypt-nginx/letsencrypt_nginx/configurator.py
Copy link
Contributor

@kuba kuba Oct 11, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TODO comment seems pretty easy to do. Could we implement it in this PR to avoid unnecessary race condition debugging in the future?

Copy link
Contributor Author

@jsha jsha Oct 11, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's a little harder than it sounds, but I'd be interested in being proved wrong. My main concerns were:
(a) Can we be sure connecting to localhost is always the right thing? (probably yes)
(b) what method do I use to connect?

For (b), urllib seems to be the obvious answer, but we'd have to disable cert checking because it would be a snakeoil cert. However, if the new config hasn't loaded, we will get a default cert, so we won't get a nice failure like we wanted. Is there an easy to use connect method that will give me back the DNSNames of the provided cert regardless of cert validity?

Copy link
Contributor Author

@jsha jsha Oct 11, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BTW, it looks like Apache has this same problem. Filed an issue to fix for both: #954

Copy link
Contributor

@kuba kuba Oct 12, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(a) maybe just connect to the domain in question?
(b) you can use acme.crypto_util.probe_sni for that :)

(a) and (b) together: probe_sni(domain, socket.gethostbyname(domain), config.dvsni_port)

Copy link
Contributor Author

@jsha jsha Oct 12, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome, thanks! I updated the linked tickets with these. I'd like to land this as-is, since I can only really fit in client time on the weekends. But I definitely want to fix this the nice way ASAP (especially for Apache!).

This was referenced Oct 11, 2015
Closed
Closed
diracdeltas
diracdeltas reviewed Oct 12, 2015
View reviewed changes
letsencrypt-nginx/letsencrypt_nginx/dvsni.py
Copy link
Contributor

@diracdeltas diracdeltas Oct 12, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This assumes every directive has exactly two elements. I think this is okay for now, but in the future we might add something to nginxparser that does not produce directives of size 2.

@diracdeltas
Copy link
Contributor

diracdeltas commented Oct 12, 2015

lgtm

@jsha
Copy link
Contributor Author

jsha commented Oct 12, 2015

@bmw @jdkasten @pde: What's the merge policy on this repo? Should I merge based on @diracdeltas's review? Wait for a second review?

@bmw
Copy link
Member

bmw commented Oct 12, 2015

The current policy is just one "LGTM" from a core contributor. Based on @diracdeltas review, you're good to go. Merging this now. Thanks for the PR @jsha.

bmw added a commit that referenced this pull request Oct 12, 2015
@bmw
Merge pull request #950 from letsencrypt/jsha/nginx-improvements
5ca70e1 
Nginx improvements
@bmw bmw merged commit 5ca70e1 into master Oct 12, 2015
@pde pde deleted the jsha/nginx-improvements branch November 27, 2015 18:18
@rcdailey
Copy link

rcdailey commented Sep 22, 2018

I noticed that certbot is not adding the ssl_stapling and ssl_stapling_verify settings to my server block in nginx. Is this a bug?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

area: nginx area: ocsp

Projects

None yet

Milestone

No milestone

5 participants

@jsha @diracdeltas @bmw @rcdailey @kuba